Digital Forensics – Stage 1: Acquisition (Collection)

Within the last decade, the use of digital forensics has increased drastically. The reasons are numerous, ranging from mining to investigation to simple preservation as an insurance policy against future litigation. To decide when and where to spend money on digital forensics, it is important to understand first what you are buying and then when it should be used.

Digital forensics occurs in stages, and understanding which stages need to occur in a given case is important and can save you or your client from overspending. “A digital forensic investigation commonly consists of 3 stages: acquisition…analysis, and reporting.” (Eoghan Casey, Digital Evidence and Computer Crime, Second Edition.)

Stage 1: Acquisition

Acquisition (collection) “involves creating an exact sector level duplicate (or “forensic duplicate”) of the media, often using a write blocking device to prevent modification of the original. Both acquired image and original media are hashed (using SHA-1 or MD5) and the values compared to verify the copy is accurate.” (Maarten Van Horenbeeck, “Technology Crime Investigation”, May 2008.) Targeted forensic collections, which net only specific data such as email, are also possible. Targeted collections are the most common and often among the most useful scenarios.
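The hash comparison described above can be sketched as follows. This is an added example, not code from the cited sources or from TERIS; the 512-byte sector size, the function names and the constructed sample "disk" files are assumptions, and on a real case the original path would be the device behind the write blocker.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # assumed sector size in bytes


def digests(path, algorithms=("md5", "sha1"), chunk=SECTOR * 2048):
    """Stream a file or raw device once and return {algorithm: hexdigest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as f:
        while block := f.read(chunk):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def first_differing_sector(original, image):
    """Return the index of the first sector that differs, or None if identical."""
    with open(original, "rb") as a, open(image, "rb") as b:
        index = 0
        while True:
            sa, sb = a.read(SECTOR), b.read(SECTOR)
            if sa != sb:  # also catches an image that is shorter or longer
                return index
            if not sa:
                return None
            index += 1


def verify_acquisition(original, image):
    """Compare digests of original media and image; locate any divergence."""
    src, dst = digests(original), digests(image)
    ok = src == dst
    return {"verified": ok, "original": src, "image": dst,
            "first_bad_sector": None if ok else first_differing_sector(original, image)}


def demo():
    """Constructed sample: an 8-sector 'disk', a good copy, a copy with one altered byte."""
    workdir = tempfile.mkdtemp()
    disk = bytes(range(256)) * 16          # 4096 bytes = 8 sectors
    bad = bytearray(disk)
    bad[5 * SECTOR + 10] ^= 0xFF           # flip one byte in sector 5
    paths = {}
    for name, data in (("original", disk), ("good", disk), ("bad", bytes(bad))):
        paths[name] = os.path.join(workdir, name + ".dd")
        with open(paths[name], "wb") as f:
            f.write(data)
    return (verify_acquisition(paths["original"], paths["good"]),
            verify_acquisition(paths["original"], paths["bad"]))
```

Recording both digests in the acquisition notes at collection time lets the image be re-verified later without touching the original media again.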

Acquisition is the most common digital forensic procedure because it leads to others by necessity. It is also generally a less expensive stage. Even if stages two or three are never reached, collection can provide an excellent insurance policy or negotiation tool to parties who are or could become involved in litigation.

Recommendation: If you are or expect to be involved in litigation, by all means do either a targeted or full forensic collection as circumstances warrant. This is a fairly low-cost hedge against spoliation or loss of important data that could be critical to your cause. Targeted collections, if they are sufficient for the matter, are preferable.

If you would like more information about eDiscovery, digital forensics or how TERIS can assist your legal team, reach out today.
